ProblemChild Getting Started question

Hello,

Just read through ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack | Elastic Blog
which all seems super interesting.

So.. Forgive me for my noobish questions.. But I was wondering how exactly I should start building this on my own Elastic stack.
I guess I need to store the scripts first with How to write scripts | Elasticsearch Guide [7.12] | Elastic?

As I'm using Winlogbeat, am I supposed to use this pipeline examples/problemchild_features.json at master · elastic/examples · GitHub
while ingesting winlogbeat data so my winlogbeat data contains the correct features fields?

And then do data frame analytics classification on the resulting winlogbeat index?

Best regards,

Willem


Hello @willemdh!

Thanks for reaching out. Hope this answers your questions:
Yes, you'll first need to set all the scripts (ngram_extractor, normalize_ppath, features_winlogbeat) in your cluster state.
You will then set this ingest pipeline.
Once you've set those, I would suggest using the ingest pipeline to re-index your raw winlogbeat data into another index and using that index to run your Data Frame Analytics jobs. Hope this helps!

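The three steps in the answer, as an added example that is not part of the thread or of elastic/examples: a small preflight that checks the ingest pipeline only references stored scripts already present in cluster state (GET _cluster/state/metadata), then lays out the requests in the order given, stored scripts, then pipeline, then _reindex with dest.pipeline. The pipeline id, the index names and the shortened pipeline body are assumptions; the Painless sources are placeholders for the files in elastic/examples.

```python
import json

SCRIPT_IDS = ["ngram_extractor", "normalize_ppath", "features_winlogbeat"]
PIPELINE_ID = "problemchild_features"  # assumed id; choose your own

# Constructed, shortened stand-in for problemchild_features.json: the real
# pipeline lives in elastic/examples, this keeps only the script-processor shape.
PIPELINE = {
    "description": "ProblemChild feature extraction for winlogbeat events",
    "processors": [{"script": {"id": sid}} for sid in SCRIPT_IDS],
}


def referenced_script_ids(pipeline):
    """Ids of stored scripts that the pipeline's script processors call."""
    return [p["script"]["id"] for p in pipeline.get("processors", [])
            if "script" in p and "id" in p["script"]]


def missing_scripts(pipeline, cluster_state):
    """Referenced ids that are absent from the cluster state's stored_scripts."""
    stored = cluster_state.get("metadata", {}).get("stored_scripts", {})
    return [sid for sid in referenced_script_ids(pipeline) if sid not in stored]


def setup_requests(sources, pipeline, src_index, dest_index):
    """Ordered (method, path, body) tuples for the three setup steps.
    `sources` maps script id -> Painless source taken from elastic/examples."""
    reqs = [("PUT", f"/_scripts/{sid}",
             {"script": {"lang": "painless", "source": src}})
            for sid, src in sources.items()]
    reqs.append(("PUT", f"/_ingest/pipeline/{PIPELINE_ID}", pipeline))
    reqs.append(("POST", "/_reindex", {
        "source": {"index": src_index},
        # dest.pipeline runs the ingest pipeline on every reindexed document
        "dest": {"index": dest_index, "pipeline": PIPELINE_ID},
    }))
    return reqs


if __name__ == "__main__":
    # Constructed cluster state: only two of the three scripts are stored yet.
    state = {"metadata": {"stored_scripts": {"ngram_extractor": {}, "normalize_ppath": {}}}}
    print("missing stored scripts:", missing_scripts(PIPELINE, state))  # ['features_winlogbeat']
    sources = {sid: "<Painless source from elastic/examples>" for sid in SCRIPT_IDS}
    for method, path, body in setup_requests(sources, PIPELINE, "winlogbeat-*", "winlogbeat-problemchild"):
        print(method, path, json.dumps(body)[:60])
```

Run the missing-scripts check against the real cluster state before issuing the pipeline PUT; a pipeline that names a script id that is not stored fails at ingest time rather than at creation.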
